Apple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.
Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:
- A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
- Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
- A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
- By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.
The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:
- Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
- The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
- The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
- Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
- A source-specific multicast program may cause an unexpected system termination when using a Wi-Fi network.
- An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their
- An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.
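As an added illustration of the last item (constructed example, not Apple's kernel code), the loop below tracks progress through a caller-controlled 32-bit length with a 16-bit counter: once the counter wraps it can never reach the target and the loop spins forever, which is exactly the "larger sized variable" fix. The chunk size and spin limit are assumptions made so the demo runs to completion instead of hanging.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not Apple's code) of integer truncation
 * leading to an infinite loop: a 32-bit request length is walked with
 * a 16-bit progress counter. */

#define CHUNK      1024        /* bytes consumed per iteration (assumed) */
#define SPIN_LIMIT (1L << 22)  /* safety cap so the demo cannot hang */

/* Vulnerable variant: 16-bit progress counter.
 * Returns the iteration count, or -1 if the loop would never terminate. */
long iterate_truncated(uint32_t len)
{
    uint16_t offset = 0;          /* too narrow for a 32-bit length */
    long iterations = 0;
    while (offset < len) {
        if (++iterations > SPIN_LIMIT)
            return -1;            /* would spin forever on real hardware */
        offset += CHUNK;          /* wraps modulo 65536 once it reaches 64 KiB */
    }
    return iterations;
}

/* Fixed variant: counter wide enough for any 32-bit length. */
long iterate_fixed(uint32_t len)
{
    uint64_t offset = 0;
    long iterations = 0;
    while (offset < len) {
        if (++iterations > SPIN_LIMIT)
            return -1;
        offset += CHUNK;
    }
    return iterations;
}

int main(void)
{
    uint32_t lens[] = { 4096, 65536, 70000 };
    for (int i = 0; i < 3; i++)
        printf("len=%u truncated=%ld fixed=%ld\n", lens[i],
               iterate_truncated(lens[i]), iterate_fixed(lens[i]));
    return 0;
}
```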
Lots of third-party applications were also updated, including Curl, dyld, OpenLDAP, Perl, Python and Ruby.
iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:
- A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
- When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
- A person with physical access to the device may be able to call arbitrary contacts because of a race condition in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.
While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems, most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.
- Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of XML files.
- Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption issues in WebKit.
- An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
- Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
- Using the Web Inspector disabled Private Browsing.
- A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.
OS X Server 3.0, iTunes and Apple Remote Desktop
Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.
Apple released two new versions of its Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.
Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.
More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222